Re: [jetty-users] Can't enable SSLv3

I am not sure what cipher suites you are using but from my point I would say if the company
uses a cipher technology that is 16 years outdated they can as well use plain text.

I'm not using "cipher technology that is 16 years outdated". I am using Java 6u45 on Solaris 8, which although EOL and "old", is certainly not 16 years old.

Might want to take a look at the changelogs in Java 7 and Java 8.
There's been well over 800 (yes, eight hundred, this is not a typo) CVEs fixed since Java 6u45.

Oracle made the decision to disable SSLv3 in all of their products (Including Solaris), when the Poodle vulnerability was announced (Oct 2014).
The 2 prior vulnerabilities Shellshock (Sept 2014) and Heartbleed (April 2014) had less of a change by Oracle. (just pointing out the level of severity here).

And even before that, back in 2010, there were Security alerts about SSLv3 in Solaris 8.

Even to this day, you can get up-to-date patches for Solaris 8 that update SUNWtls, which forces SSLv3 to be disabled, via the Oracle Solaris 8 Vintage Patch Service.

- Joakim

